Banks' Governance and Controls over Internal Capital Adequacy Processes
David Palmer and Paul Sternhagen
Federal Reserve Board
Among the integral elements of an institution's internal process for assessing its capital adequacy, also known as the capital adequacy process (CAP), are the governance and controls over that process.1
Comprehensive and sound governance and controls are vital to ensure that an institution's CAP is functioning as it should, and that decisions regarding capital adequacy are made in a rigorous manner.2 This includes the ability of the CAP, at large U.S. banking organizations, to meet the requirements of the Federal Reserve's Capital Plan Rule and annual Comprehensive Capital Analysis and Review (CCAR) exercise.
Together, an institution's board and senior management should establish a comprehensive, integrated and effective CAP that fits into the broader risk management of the institution. This chapter will discuss the key elements of the governance over a CAP, such as:
- strong board and senior management oversight, including periodic review of the institution's risk infrastructure, and loss- and resource-estimation methodologies;
- evaluation of capital goals;
- assessment of the appropriateness of stress scenarios considered;3
- regular review of any limitations and uncertainties in all aspects of the CAP; and
- approval of capital decisions.
The chapter will also outline the sound internal controls that help govern an institution's CAP, and help ensure the integrity of the CAP and its results, including:
- policies and procedures;
- change controls;
- model validation and independent review;
- comprehensive documentation; and
- review by internal audit.
Board of Directors
The board of directors has ultimate oversight responsibility and accountability for the entire CAP. It should be responsible for key strategies and decisions, define the culture of the organization and set the "tone at the top." The board is ultimately responsible for the institution's CAP, even if the board is not intimately involved in the details.
The board of directors should make informed decisions on capital adequacy for the organization, and not just ratify recommendations made by senior management. The board of directors should receive sufficient information to understand the institution's material risks and exposures, and to inform and support its decisions on capital adequacy and capital planning. The board should receive this information at least quarterly, or when there are developments that affect capital adequacy or the manner in which it is assessed (such as major CAP methodology changes).
Capital adequacy information provided to the board should include capital measures under current circumstances, as well as on a post-stress, pro forma basis, and should be framed against the capital goals established by the institution taking into account obligations to external stakeholders. The board should receive clearly developed pro forma financial results and trend analysis, with sufficient granularity on key entities, lines of business or portfolios, as appropriate. It should also see the impact of loss and resource estimates on the existing and prospective capital positions for both expected or "baseline" conditions and stressful ones. Additionally, the board should receive an analysis explaining the differences in results between baseline and stressful conditions for all key capital measures.
Board members should have a clear and detailed understanding of the institution's capital policy, including knowledge of the institution's capital goals and the need to maintain certain capital levels to satisfy key stakeholders. The board should approve the capital policy and review it on at least an annual basis.
In its review of capital information, the board should determine whether the stressful conditions applied in the CAP, including scenarios, are current, sufficiently severe and relevant to the organization's risk profile and business activities. In addition, the information provided to the board should include a discussion of key limitations, assumptions and uncertainties within the CAP, so that the board is fully informed of any key weaknesses in the process and can effectively challenge reported results before making capital decisions. The board should also receive summary information about mitigation strategies to address key limitations and take action when weaknesses in the CAP are identified, applying additional caution and conservatism as needed.
Institutions with better practices in this area have boards that fully understand the risks, exposures, activities and vulnerabilities that affect the institution's capital adequacy. They also understand the major sources of loss and revenue changes in the CAP, and the major drivers of changes in capital positions and ratios. Strong boards challenge information provided by senior management by asking key questions, drilling down into certain areas and/or requesting additional information. For example, boards that have evidenced more engagement in the CAP have asked specific questions around loss forecasts for high-risk/run-off portfolios, new product portfolios, a stress scenario's impact on business strategy/growth initiatives and other aspects of the pro forma capital analysis that are more heavily reliant on underlying management assumptions. Importantly, they recognize that CAP results are estimates and should be viewed as part of a range of possible results. Another good practice is for the board to receive information about past CAP performance. Effective boards also discuss identified weaknesses in the CAP, whether they need to take immediate action to address those weaknesses and whether the weaknesses are material enough to alter their view of current CAP results. They also discuss whether a sufficient range of potential stress events and conditions has been considered in assessing capital adequacy, including idiosyncratic events and outcomes.
Institutions should provide quantitative reports to the board that include cogent summaries, as well as underlying detail that is easily accessible. Reports should also include information about the validation and independent review of models and other quantitative tools that produce results, especially if they have identified limitations, shortcomings and uncertainties. Institutions should provide a full list of assumptions underpinning CAP results and a discussion of the impact if those assumptions do not hold. In addition, strong boards review summary reports from internal audit to ensure that all identified issues are incorporated into board discussions.
A key concern is when the board does not challenge results and information, accepts whatever is provided to it by senior management, and provides only a cursory review and challenge of management recommendations. It is also concerning when there is evidence that board members are not fully aware of--or knowledgeable about--risks, exposures, activities and vulnerabilities, or do not have a good understanding of how loss and resource estimates are generated. Some boards may not have an understanding of the capital policy, are unaware of stakeholder expectations regarding capital adequacy, or simply look at minimum ratios to gain comfort with post-stress outcomes--practices that are not acceptable. Another concern is when boards make little attempt to look at past CAP performance and help determine how the CAP functions over time.
One of the most concerning shortcomings is when capital distribution recommendations do not include all relevant information, such as sufficiently stressful conditions the institution might face, and appear optimistic. In some cases, key assumptions that underpin the CAP are not specifically identified, challenged, and analyzed. In other cases, board members do not receive information about governance and controls over the CAP, and do not ask questions about how CAP processes ensure that reliable and credible results are produced.
Senior management is responsible for ensuring that CAP activities authorized by the board are implemented in a satisfactory manner, and is accountable to the board for the effectiveness of those activities. Senior management should ensure that the CAP as a whole functions effectively. In doing so, senior management is also responsible for all the CAP control functions described below, and for ensuring that the CAP contains appropriately stressful conditions for assessing capital adequacy. This includes ensuring that scenarios of sufficient stress are included, and that those scenarios together cover all material risks and vulnerabilities facing the institution.
Using appropriate information, senior management should make informed recommendations to the board of directors about the institution's capital, including capital goals and distribution decisions. Senior management should ensure that proposed capital goals have sufficient analytical support and fully reflect the expectations of key stakeholders. The capital policy should provide a clear indication of how the institution aligns with stated capital goals on a post-stress basis and an explanation of management's proposed remedial actions if those goals are not met. Senior management should identify all weaknesses in the CAP, as well as key assumptions, limitations, and uncertainties, and evaluate them for materiality (both individually and collectively). It should also have remediation plans for any weaknesses affecting CAP reliability or results.
At institutions with better practices, senior management maintains an ongoing assessment of all CAP areas, identifying and clearly documenting any weaknesses, assumptions, limitations, and uncertainties, and does not consider a "one-time" assessment of the CAP to be sufficient. Management considers all quantitative and qualitative information about the CAP, including reports from internal audit, and looks across all areas to determine if there are any combined/correlated weaknesses. Management has very clear remediation plans for identified weaknesses, with specific timelines. In some cases, based on its review of the full CAP, senior management makes more cautious or conservative adjustments to CAP results or recommends more cautious or conservative capital decisions.
Also of value is when senior management expresses some sense of "humility" about its ability to predict future outcomes, conveys "information skepticism," and recognizes the prevalence of uncertainty. In some cases, management adjusts its recommendations to the board--including for capital actions-- based on identified weak- nesses and uncertainties. Senior management also includes key CAP assumptions, weaknesses, and uncertainties in reports and specifically points them out to the board.
Of concern is when senior management does not conduct a holistic review of the CAP and/or does not have a full understanding of key assumptions, limitations, weaknesses, and uncertainties. In some cases, senior management ignores identified issues, such as audit findings related to the CAP. In other cases, senior management has incomplete, poorly developed, or outdated remediation plans to address identified weaknesses.
An institution should appropriately document the key decisions about capital adequacy--including capital actions--made by the board of directors and senior management, and describe the information used to make those decisions. The decisions should be appropriately codified, formally approved and retained for future reference and decisionmaking. Having a formal documentation process for capital decisions not only provides transparency about, and a history of, decisions made, but also creates additional discipline for decisionmaking.
Better practices in this area include board minutes that describe clearly how decisions are made and what information was used. In addition, there should be evidence that the board exercised an appropriate challenge of results and recommendations, including asking critical questions of senior management or reviewing information indicating that senior management has asked itself those questions. This can include having the board review key assumptions and process weaknesses and, in some cases, reviewing analysis showing the sensitivity of capital to alternative outcomes. On the whole, there should be evidence that sufficient information was considered for decisionmaking at all levels.
Weaker practices in this area include when board minutes are very brief and opaque, with little reference to information used by the board to make its decisions. Another area of concern is when the board appears to be affirming past decisions without any new analysis. It is also problematic when senior management recommendations are difficult to understand or do not have any supporting information.
Scope of Internal Controls
An institution's internal control framework should encompass the entire CAP, including the risk measurement and management systems used to produce input data, the models and other techniques used to generate loss and resource estimates, the process for making capital adequacy decisions and the aggregation and reporting framework used to produce management and board reporting. While institutions naturally may develop components of their CAP along separate lines, the control framework should ensure that the separate components come together in a coherent manner. Overall, the set of control functions in place should provide confirmation that all aspects of the CAP are functioning as intended.
Better practices in this area involve viewing the CAP controls on an integrated basis and ensuring they are applied consistently. These controls are viewed as a strong "second line of defense" to ensure the CAP functions effectively. Management should respond quickly and effectively to any issues identified by CAP controls and devote appropriate resources to continually ensure controls are functioning effectively. Management should also foster a culture in which control staff is accorded sufficient stature, authority and respect within the entire organization. In addition, institutions with better CAP controls ensure that they are used in key process flows and at key decision points in the CAP, demonstrating that they understand where controls are needed most (such as to avoid potential conflicts of interest or to ensure effective challenge).
In some cases, solid controls exist in certain areas but are not consistent on a holistic basis. For example, there may be sound controls in given business lines, but not in others. Some institutions might incorrectly view controls as more of an afterthought or a compliance exercise just to satisfy supervisors; this approach is often evidenced by the lack of stature of control staff in the organization. In certain cases, management is not fully aware of control lapses or devotes little attention to ensuring that controls are sound. A major concern is when key control lapses have been unaddressed for some time or occur in fundamental areas, such as capital decisionmaking.
Policies and Procedures
Institutions should ensure they have policies and procedures covering the entire CAP, including a specific capital policy. Policies and procedures should ensure a consistent and repeatable process for all components of the CAP, and provide transparency to third parties for their understanding of an institution's CAP processes and practices. Policies and procedures should be comprehensive, relevant to their use in the CAP and periodically updated and approved. Policies and procedures should include sufficient detail for each aspect of the CAP. There should also be evidence that management and staff are adhering to policies and procedures in practice, and there should be a formal process for any policy exceptions. Such exceptions should be rare and approved appropriately. Policies should be reviewed and updated at least annually, and more frequently when warranted.
Institutions should have a specific capital policy containing guide- lines used for capital planning, capital issuance, and usage and distributions. A capital policy should include: internal capital goals; quantitative or qualitative guidelines for dividends and stock repurchases; strategies for addressing potential capital shortfalls; and internal governance procedures around capital policy principles and guidelines. It should be a distinct, comprehensive written document that addresses the major components of the institution's capital planning processes, and links to--and is supported by--other policies (risk management, stress testing, model governance, audit, etc). A capital policy should provide details on how an institution manages, monitors, and makes decisions regarding all aspects of capital planning.
A capital policy should also describe targets for the level and composition of capital, and provide clarity about the institution's objectives in managing its capital position. The policy should explain how the institution's capital planning practices align with the imperative of maintaining a strong capital position and being able to continue to operate through periods of severe stress. It should also specify the capital metrics that senior management and the board use to make capital decisions. In addition, a capital policy should include governance and escalation protocols that are clear, credible, and actionable in the event an actual or projected capital ratio target or capital level target is breached. In addition to an annual review of policy by the board, institutions should establish a minimum frequency (at least annually) and other triggers for when its capital policy is reevaluated, and ensure that these triggers remain relevant and current.
Better practices for policies and procedures are when they are clearly an integral part of sound risk management and capital planning. Institutions ensure that policies are clear and comprehensive, allowing a third party to gain a good sense of how actions are carried out. It is also important to see that CAP policies and procedures are followed in practice--for example, institutions with better practices make reference to policies when making decisions and taking actions, have established protocol for making policy exceptions, and exhibit few variances with policy.
Weaknesses in policies and procedures can include insufficient coverage or lack of detail. In other cases, policies do not clearly outline roles and responsibilities of groups or individuals involved in a given process. Concerns arise when policies lag or are inconsistent with practice, or when policies are violated with no protocol for approval. Both issues raise concerns that the policies are written just as compliance exercises and are not serving as governing documents. Other concerns are when policies and procedures are developed or applied inconsistently across the CAP--i.e., that some areas are determined to be more important that others, or some policies are inconsistent or even contradict one another.
Ensuring Integrity or Results and Change Controls
Specific to the CAP, an institution should have internal controls that ensure the integrity of reported results and the documentation, review and approval of all material changes to the CAP and its components. An institution should ensure that change controls exist at all levels of the CAP.
An institution should have controls to ensure that management information systems (MIS) are robust enough to support analysis for the CAP, with sufficient flexibility to run ad hoc analysis as needed. Furthermore, an institution should have specific reconciliation and data integrity processes related to key capital adequacy reports. An institution should have an established process for presentation of aggregate, enterprise-wide results, describing any adjustments made in the aggregation process. There should also be an objective party to ensure that reports provided to senior management and the board contain the appropriate level of detail, are accurate, and timely. The review should also assess whether the institution complies with its internal capital targets/guidelines, and check whether the rationale for any deviations from stated capital objectives (either significant excesses or shortfalls) are clearly documented and approved. The different review procedures referenced above can be conducted with different frequency, subject to such considerations as the institution's internal audit cycle, the CAP reporting frequency, timing of capital plan development and updates, etc. At a minimum, however, key elements of the CAP should be subject to quality assurance assessments no less than annually.
Ensuring that good information flows exist to support good decisions, with clear investment in controls for data and information, is a leading practice in this area. For example, some institutions have an unbiased, internal party not involved in developing projections check the numbers for accuracy, and ensure formally reported numbers are given extra scrutiny and cross-checking. In addition, institutions with better practices have strong MIS in place across the CAP to be able to collect, synthesize, analyze and deliver information quickly and efficiently. These systems also have the ability to run ad hoc analysis as needed in one or two days without employing substantial resources.
Strong change controls include a variety of activities covering different elements of the CAP. Examples are access and editor controls over risk models used in the development of capital adequacy analysis (e.g., loss- and resource-estimation models), maintenance of the CAP policy environment to ensure that roles and responsibilities reflected in key policies are consistent with the institution's practices, and standards related to the level of support and management sign-off required to breach limits or deviate from stated policies and processes. Strong change controls are vital to the maintenance of an appropriately formal and repeatable process over time, allowing for process improvements to be integrated into the CAP, defining the bounds of management discretion and ensuring a transparent audit trail with respect to material process changes.
Some institutions exhibit a strong "culture of information," as all staff recognize the importance of data and the need to keep it up-to-date. Further, all information presented is effectively challenged by appropriate parties within the organization. All estimates and projections are recognized as such, and information about uncertainty associated with those estimates and projection is presented to users so they can question and challenge where necessary.
Performance of the CAP can be inhibited by slow, antiquated, and/or inaccurate MIS. Of most concern are cases in which data corrections indicate that management may have made different decisions in the past if they had accurate data. In other cases, MIS might be siloed and different systems are not fully compatible, require substantial human intervention to reconcile, or require extensive time to produce meaningful and reliable information.
Validation and Independent Review
An institution should conduct validation and independent review of all models used in the CAP, consistent with existing supervisory expectations on model risk management.4 Models should be independently validated or otherwise reviewed by unbiased parties. The validation and review process should include: (i) an evaluation of conceptual soundness, including supporting developmental evidence; (ii) an ongoing monitoring process that includes verification of processes and benchmarking; and (iii) an outcomes analysis process that includes backtesting (as appropriate for the different models used within the CAP). An institution should ensure that there is effective challenge with respect to the evaluation of all key models used within the CAP. Validation staff should have the necessary technical competencies, sufficient stature within the organization, and appropriate structural and/or functional independence.
An institution should maintain an inventory of all models used in the CAP, including all input or feeder models. Higher-risk and higher-impact models should receive additional attention, and be subject to more frequent validation and review. Consideration should be given to the use of models under stressed conditions if models were developed originally for use under baseline economic/ financial environments. There should also be a process to incorporate compensating controls if model weaknesses and uncertainties are identified.
Many institutions maintain an updated inventory of all models used in the CAP based on a clear definition of what constitutes a model. Institutions with better practices ensure that models have been validated for their intended use, such as a model designed for business-as-usual modified to be used for stress testing. Such institutions are also transparent about the validation status of all CAP models, and appropriately address any models that have not been validated or have identified issues by restricting model use, putting compensating controls in place, or using benchmark or challenger models to help confirm the output of the primary model. Institutions with better practices acknowledge shortcomings in model risk management and have plans in place to remediate those quickly.
Nearly all institutions continue to face challenges in conducting outcomes analysis of their CAP stress-testing models given limited realized outcomes against which to assess projections. However, some institutions do not attempt to compensate for challenges in outcomes analysis by conducting additional sensitivity analysis or other types of validation work. Other common deficiencies include failure to validate some models used in the CAP (including some high-impact stress-testing models), treating the output from models that have not been validated the same as the output from validated models, and lack of effective challenge by validation staff. In certain cases, institutions are not able to identify all models used in the CAP or scoped some models out of validation. In other cases, institutions rush validation work, even though work may not be complete or rigorous. Additionally, validation does not always cover management overlays or judgemental adjustments to model output. The challenge process can be ineffective at some institutions because those validating or reviewing models have conflicts or are not unbiased. Another shortcoming is when validators do not have sufficient technical expertise or familiarity with business lines or the intended use of models.
An institution should have clear and comprehensive documentation for all aspects of its CAP, including its risk measurement and management infrastructure, loss- and resource-estimation methodologies, the process for making capital decisions, and efficacy of control and governance functions. Documentation should contain sufficient detail, accurately describe the institution's practices, allow for review and challenge, and provide relevant information to decision-makers.
Comprehensive and clear documentation is an important but often overlooked aspect of the CAP. Institutions should ensure that all areas of the CAP are documented and establish standards for detailed, comprehensive, and current documentation. For instance, an institution might establish minimum documentation expectations that must be met before validation or key decisions can occur. Greater emphasis on documentation can also help ensure that proper change controls are in effect. Better documentation includes non-technical executive summaries for longer documents. Institutions should ensure that they are provided with thorough documentation from vendors or other external parties.
Key red flags for documentation include logic, math, or egregious typographical mistakes, as well as outdated references. Concerns also arise when institutions' validation or audit staff has not been able to understand how a given CAP practice or process functions based on the documentation provided.
Internal audit should play a strong role in evaluating the CAP and its components. A review of the full CAP, not just the individual components, should be performed by audit periodically to ensure that the entire end-to-end process is functioning as expected and in accordance with the institution's policies and procedures. Reviews by audit should have sufficient scope, frequency, and depth, covering all material aspects of the CAP. Audit staff should have the appropriate incentives, competence and influence to identify and escalate key issues. Internal audit should review the manner in which CAP deficiencies are identified, tracked, and remediated. Audit should report regularly on the status of the CAP to senior management and the board, presenting key findings as needed. An institution should have a process for addressing audit concerns in a timely manner.
Institutions with better practices place strong emphasis on having high-quality internal audit involvement in the CAP by providing a comprehensive, robust review of all the CAP components in some depth, including all the control areas discussed above (e.g., model risk management, change controls, and compliance with policy). Institutions with strong internal audit for the CAP have strong issue identification and remediation tracking. They also ensure that audit has strong technical expertise, strong stature in the organization, and proper independence.
Lagging practices include incomplete audit coverage of the CAP or the use of cursory or high-level reviews for some areas. Other weak practices include when internal audit provides few or superficial findings and does not follow up to ensure issues are remediated. In other cases, senior management does not pay full attention to audit findings or is slow in addressing them. Another cause for concern is when supervisors uncover key issues that audit has missed in its review.
Importantly, institutions should recognize that internal controls are not just a bureaucratic "checklist," but rather constitute an integral and dynamic element of sound risk management and capital planning. For example, institutions should conduct an end-to-end review of the CAP in series, not just as one single event that tries to capture everything at one time to simply "tick the box." Senior management should evaluate the end-to-end assessments of the CAP, ask specific questions about its elements, and respond to any findings from the assessments. Further, the board should be briefed on the end-to-end assessments, with any key issues brought to their attention.
This chapter has described the sound governance and controls to support an institution's CAP. Governance and controls over a CAP are especially important given the breadth and depth of practices, processes, and issues covered in the CAP. These include strong oversight of the entire process and comprehensive internal controls at every step. While some practice described in the chapter may appear more mundane and less "interesting" than other aspects of capital planning, without them a CAP's results will not be reliable and credible. In fact, an important contributor to sound capital planning is paying attention to key details that to some might seem irrelevant, but are in fact very important. Among other things, these can include comprehensive policies and procedures, rigorous model validation, detailed documentation, and strong change controls. By focusing on these and other important details, institutions can provide a strong foundation and infrastructure that helps produce credible, relevant, reliable, and consistent CAP results.
1. The expectations articulated in this chapter relate to large banking organizations. For a more comprehensive discussion of U.S. supervisory expectations and the range of practices for capital planning at large banking organizations, see: Capital Planning at Large Bank Holding Companies: Supervisory Expectations and Range of Current Practice (PDF), August 2013. Return to text
2. It is important to note that the capital adequacy process described in this chapter is equivalent to an internal capital adequacy assessment process (ICAAP) under Pillar 2 of Basel II. Accordingly, the expectations articulated here relating to the CAP are essentially the same as for the ICAAP. Return to text
3. For information on governance over stress testing used in capital planning, see David Palmer, "Governance over Stress Testing" in Akhtar Siddique and Iftekhar Hasan (Eds.), 2013, Stress Testing: Approaches, Applications, and Methodologies (London: Risk Books), pp, 1–14. Return to text